Ranger policies

The Db2® Big SQL Ranger plugin supports both resource and tag based policies.

Resource based policies

A resource based policy enables a security administrator to grant permissions to users and groups on a database object or on a set of database objects. A resource based policy that is created within the Db2 Big SQL plugin applies only to authorization checks that are performed by the Big SQL service.

To work with resource based policies in the Ranger UI, complete the following steps:
  1. Click Resource Based Policies on the Access Manager tab.
  2. Select the plugin name under the Big SQL service.
  3. Select a policy from the list of existing policies. In the Action column, there are buttons to view, edit, or delete a policy. To create a policy, click Add New Policy.

Tag based policies

A tag based policy enables a security administrator to grant permissions to tags (or classifications) that are defined in a governance service such as Apache Atlas. To create a tag based policy for Db2 Big SQL objects, configure Ranger TagSync to synchronize the Ranger tag store with Atlas. For instructions on how to configure Ranger TagSync, see the HDP documentation. In Apache Atlas, tags are known as classifications, and you can assign one classification to multiple Atlas entities. For example, to create a classification and assign it to a Db2 Big SQL table, complete the following steps:
  1. In the Atlas UI, click the CLASSIFICATION tab and then the + button.
  2. In the window that opens, assign a name to the new classification and optionally add a description and attributes.
  3. In the SEARCH tab, search for all bigsql_table entities.
    Important: When Hadoop or HBase tables are created in Db2 Big SQL by using the CREATE HADOOP TABLE or CREATE HBASE TABLE statement, the table entities in Atlas appear in two places: under the bigsql_table type and under the hbase_table type. If Ranger tag based policies for a Db2 Big SQL object are to be enforced, the classification must be assigned to an entity with type bigsql_.
  4. Click the + button in the Classification column and select the classification that is to be assigned to the table entity.
  5. Repeat this process to assign a classification to multiple entities, or to create additional classifications.
If Ranger TagSync is properly configured, the new classifications are synchronized to Ranger automatically.
To create a tag based policy in the Ranger UI, complete the following steps:
  1. Click Tag Based Policies on the Access Manager tab.
  2. Click the + symbol to create a tag service.
  3. Assign a name for the new tag service.
  4. On the Resource Based Policies page, add the new tag service to the resource policy service. Click the Edit button beside the Big SQL service entry.
  5. Select the tag service that you created in step 2 and save the change.
  6. On the Tag Based Policies page, you can click on the tag service to view, edit, create, or delete tag based policies. The process of creating a tag based policy is very similar to creating a resource based policy, except that permissions (for example, select, update, delete, insert, create, drop, alter, index, or analyze) are granted at the component level (for example, bigsql). Tag based policies enable permissions to be granted on objects at a level of abstraction that is one step beyond tables and schemas.
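The following is an added illustrative model, not code from Db2 Big SQL or Apache Ranger, of how the two policy types above combine in an authorization check. It models TagSync as attaching a classification to a Big SQL object only when the Atlas entity type starts with bigsql_ (the point of the Important note in the Atlas procedure), tag based policies as granting component-level accesses such as bigsql:select, and resource based policies as granting accesses on a schema/table. The entity names, group names, policies, the tag-before-resource evaluation order and the default deny are constructed assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    """An Atlas entity as TagSync would see it (constructed sample data)."""
    type_name: str            # Atlas type, e.g. "bigsql_table" or "hbase_table"
    qualified_name: str       # "schema.table"
    classifications: frozenset


@dataclass(frozen=True)
class ResourcePolicy:
    """Resource based policy: accesses on a schema/table ("*" matches every table)."""
    schema: str
    table: str
    groups: frozenset
    accesses: frozenset       # e.g. {"select", "insert"}


@dataclass(frozen=True)
class TagPolicy:
    """Tag based policy: component-level accesses ("bigsql:select") for a tag."""
    tag: str
    groups: frozenset
    accesses: frozenset


def sync_tag_store(entities):
    """Model of TagSync: only classifications on entities whose type starts with
    "bigsql_" are attached to the Big SQL object they name; a classification on the
    hbase_table copy of the same table is ignored for Big SQL policy purposes."""
    store = {}
    for e in entities:
        if e.type_name.startswith("bigsql_"):
            store.setdefault(e.qualified_name, set()).update(e.classifications)
    return store


def check_access(schema, table, user_groups, access,
                 resource_policies, tag_policies, tag_store):
    """Return (decision, reason). Tag policies are consulted first, then resource
    policies; anything not explicitly allowed is denied (assumption of this model)."""
    user_groups = frozenset(user_groups)
    for tag in sorted(tag_store.get(f"{schema}.{table}", ())):
        for p in tag_policies:
            if p.tag == tag and p.groups & user_groups and f"bigsql:{access}" in p.accesses:
                return "allow", f"tag:{tag}"
    for p in resource_policies:
        if (p.schema == schema and p.table in ("*", table)
                and p.groups & user_groups and access in p.accesses):
            return "allow", f"resource:{p.schema}.{p.table}"
    return "deny", None


def demo():
    # Constructed entities: customers is classified PII on its bigsql_table entity;
    # orders_hb carries PII only on its hbase_table entity, so the tag never syncs.
    entities = [
        Entity("bigsql_table", "sales.customers", frozenset({"PII"})),
        Entity("hbase_table", "sales.orders_hb", frozenset({"PII"})),
        Entity("bigsql_table", "sales.orders_hb", frozenset()),
    ]
    tag_store = sync_tag_store(entities)
    # Constructed policies: analysts may select anything tagged PII (tag based);
    # the etl group may select/insert on every table in the sales schema (resource based).
    tag_policies = [TagPolicy("PII", frozenset({"analysts"}), frozenset({"bigsql:select"}))]
    resource_policies = [ResourcePolicy("sales", "*", frozenset({"etl"}),
                                        frozenset({"select", "insert"}))]

    def q(schema, table, groups, access):
        return check_access(schema, table, groups, access,
                            resource_policies, tag_policies, tag_store)

    return {
        "analyst_select_customers": q("sales", "customers", {"analysts"}, "select"),
        "analyst_select_orders_hb": q("sales", "orders_hb", {"analysts"}, "select"),
        "etl_insert_customers": q("sales", "customers", {"etl"}, "insert"),
        "analyst_insert_customers": q("sales", "customers", {"analysts"}, "insert"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The second query is the one to watch when troubleshooting: the PII classification exists in Atlas, but because it was assigned to the hbase_table entity rather than the bigsql_ entity, no tag reaches the Big SQL object and the analyst is denied. Checking which entity type carries the classification is the first step when a tag based policy appears not to take effect.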